From 01ae105a28446799a2ec478589638506b5c1314d Mon Sep 17 00:00:00 2001 From: Ole Markus With Date: Fri, 9 Oct 2020 08:50:42 +0200 Subject: [PATCH] UseKopsControllerForNodeBootstrap instead of k8s versoin to determine secure tls --- upup/models/bindata.go | 184 +----------------- .../k8s-1.11.yaml.template | 2 + .../k8s-1.19.yaml.template | 163 ---------------- .../pkg/fi/cloudup/bootstrapchannelbuilder.go | 15 +- upup/pkg/fi/cloudup/template_functions.go | 3 + 5 files changed, 8 insertions(+), 359 deletions(-) delete mode 100644 upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.19.yaml.template diff --git a/upup/models/bindata.go b/upup/models/bindata.go index a5c7e974b95ff..9d08d9cc28ddc 100644 --- a/upup/models/bindata.go +++ b/upup/models/bindata.go @@ -28,7 +28,6 @@ // upup/models/cloudup/resources/addons/metadata-proxy.addons.k8s.io/addon.yaml // upup/models/cloudup/resources/addons/metadata-proxy.addons.k8s.io/v0.1.12.yaml // upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.11.yaml.template -// upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.19.yaml.template // upup/models/cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.10.yaml.template // upup/models/cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.12.yaml.template // upup/models/cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.16.yaml.template @@ -3932,7 +3931,9 @@ spec: args: - --cert-dir=/tmp - --secure-port=4443 + {{ if not UseKopsControllerForNodeBootstrap }} - --kubelet-insecure-tls + {{ end }} ports: - name: main-port containerPort: 4443 
@@ -4020,185 +4021,6 @@ func cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s111YamlTemplate() (*asset, return a, nil } -var _cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s119YamlTemplate = []byte(`# sourced from https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.7/components.yaml ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:aggregated-metrics-reader - labels: - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: -- apiGroups: ["metrics.k8s.io"] - resources: ["pods", "nodes"] - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: metrics-server:system:auth-delegator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: metrics-server - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: metrics-server-auth-reader - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: metrics-server - namespace: kube-system ---- -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService -metadata: - name: v1beta1.metrics.k8s.io -spec: - service: - name: metrics-server - namespace: kube-system - group: metrics.k8s.io - version: v1beta1 - insecureSkipTLSVerify: true - groupPriorityMinimum: 100 - versionPriority: 100 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: metrics-server - namespace: kube-system ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: metrics-server - namespace: kube-system - labels: - k8s-app: metrics-server -spec: - replicas: 2 - selector: - matchLabels: - k8s-app: metrics-server - template: - metadata: - name: 
metrics-server - labels: - k8s-app: metrics-server - spec: - serviceAccountName: metrics-server - volumes: - # mount in tmp so we can safely use from-scratch images and/or read-only containers - - name: tmp-dir - emptyDir: {} - containers: - - name: metrics-server - image: {{ or .MetricsServer.Image "k8s.gcr.io/metrics-server/metrics-server:v0.3.7" }} - imagePullPolicy: IfNotPresent - args: - - --cert-dir=/tmp - - --secure-port=4443 - ports: - - name: main-port - containerPort: 4443 - protocol: TCP - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - volumeMounts: - - name: tmp-dir - mountPath: /tmp ---- -apiVersion: v1 -kind: Service -metadata: - name: metrics-server - namespace: kube-system - labels: - kubernetes.io/name: "Metrics-server" - kubernetes.io/cluster-service: "true" -spec: - selector: - k8s-app: metrics-server - ports: - - port: 443 - protocol: TCP - targetPort: main-port ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:metrics-server -rules: -- apiGroups: - - "" - resources: - - pods - - nodes - - nodes/stats - - namespaces - - configmaps - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:metrics-server -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:metrics-server -subjects: -- kind: ServiceAccount - name: metrics-server - namespace: kube-system ---- -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: metrics-server - namespace: kube-system - labels: - k8s-app: metrics-server -spec: - minAvailable: 1 - selector: - matchLabels: - k8s-app: metrics-server`) - -func cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s119YamlTemplateBytes() ([]byte, error) { - return _cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s119YamlTemplate, nil -} - -func cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s119YamlTemplate() (*asset, error) { - bytes, 
err := cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s119YamlTemplateBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.19.yaml.template", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - var _cloudupResourcesAddonsNetworkingAmazonVpcRoutedEniK8s110YamlTemplate = []byte(`# Vendored from https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.3.3/config/v1.3/aws-k8s-cni.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -21046,7 +20868,6 @@ var _bindata = map[string]func() (*asset, error){ "cloudup/resources/addons/metadata-proxy.addons.k8s.io/addon.yaml": cloudupResourcesAddonsMetadataProxyAddonsK8sIoAddonYaml, "cloudup/resources/addons/metadata-proxy.addons.k8s.io/v0.1.12.yaml": cloudupResourcesAddonsMetadataProxyAddonsK8sIoV0112Yaml, "cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.11.yaml.template": cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s111YamlTemplate, - "cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.19.yaml.template": cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s119YamlTemplate, "cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.10.yaml.template": cloudupResourcesAddonsNetworkingAmazonVpcRoutedEniK8s110YamlTemplate, "cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.12.yaml.template": cloudupResourcesAddonsNetworkingAmazonVpcRoutedEniK8s112YamlTemplate, "cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.16.yaml.template": cloudupResourcesAddonsNetworkingAmazonVpcRoutedEniK8s116YamlTemplate, 
@@ -21187,7 +21008,6 @@ var _bintree = &bintree{nil, map[string]*bintree{
 }},
 "metrics-server.addons.k8s.io": {nil, map[string]*bintree{
 "k8s-1.11.yaml.template": {cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s111YamlTemplate, map[string]*bintree{}},
- "k8s-1.19.yaml.template": {cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s119YamlTemplate, map[string]*bintree{}},
 }},
 "networking.amazon-vpc-routed-eni": {nil, map[string]*bintree{
 "k8s-1.10.yaml.template": {cloudupResourcesAddonsNetworkingAmazonVpcRoutedEniK8s110YamlTemplate, map[string]*bintree{}},
diff --git a/upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.11.yaml.template b/upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.11.yaml.template
index d5e7902db5513..a895546094d86 100644
--- a/upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.11.yaml.template
+++ b/upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.11.yaml.template
@@ -90,7 +90,9 @@ spec:
 args:
 - --cert-dir=/tmp
 - --secure-port=4443
+ {{ if not UseKopsControllerForNodeBootstrap }}
 - --kubelet-insecure-tls
+ {{ end }}
 ports:
 - name: main-port
 containerPort: 4443
diff --git a/upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.19.yaml.template b/upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.19.yaml.template
deleted file mode 100644
index ef5bfbf3237fd..0000000000000
--- a/upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.19.yaml.template
+++ /dev/null
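Review bot: The new `{{ if not UseKopsControllerForNodeBootstrap }}` guard around `--kubelet-insecure-tls` carries no explanation of why this flag, rather than the Kubernetes version, decides whether metrics-server verifies kubelet serving certificates, so a reader of the template cannot tell what property of kops-controller bootstrap makes verification safe to enable. I would add a YAML comment directly above the guard, e.g. `# kubelet serving certs can only be verified when kops-controller issued them; otherwise metrics-server has to skip TLS verification` (wording inferred from the commit title, confirm the exact reason). With verification skipped, metrics-server accepts whatever certificate is presented on the kubelet port, so keeping this branch as narrow as the flag allows is the right direction. It is also worth confirming what happens on an existing cluster that flips the flag after some nodes were bootstrapped the old way, since those kubelets would presumably still present certificates that fail verification once the argument is dropped.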
@@ -1,163 +0,0 @@ -# sourced from https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.7/components.yaml ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:aggregated-metrics-reader - labels: - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: -- apiGroups: ["metrics.k8s.io"] - resources: ["pods", "nodes"] - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: metrics-server:system:auth-delegator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: metrics-server - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: metrics-server-auth-reader - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: metrics-server - namespace: kube-system ---- -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService -metadata: - name: v1beta1.metrics.k8s.io -spec: - service: - name: metrics-server - namespace: kube-system - group: metrics.k8s.io - version: v1beta1 - insecureSkipTLSVerify: true - groupPriorityMinimum: 100 - versionPriority: 100 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: metrics-server - namespace: kube-system ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: metrics-server - namespace: kube-system - labels: - k8s-app: metrics-server -spec: - replicas: 2 - selector: - matchLabels: - k8s-app: metrics-server - template: - metadata: - name: metrics-server - labels: - k8s-app: metrics-server - spec: - serviceAccountName: metrics-server - volumes: - # mount in tmp so we can safely use from-scratch images and/or read-only 
containers - - name: tmp-dir - emptyDir: {} - containers: - - name: metrics-server - image: {{ or .MetricsServer.Image "k8s.gcr.io/metrics-server/metrics-server:v0.3.7" }} - imagePullPolicy: IfNotPresent - args: - - --cert-dir=/tmp - - --secure-port=4443 - ports: - - name: main-port - containerPort: 4443 - protocol: TCP - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - volumeMounts: - - name: tmp-dir - mountPath: /tmp ---- -apiVersion: v1 -kind: Service -metadata: - name: metrics-server - namespace: kube-system - labels: - kubernetes.io/name: "Metrics-server" - kubernetes.io/cluster-service: "true" -spec: - selector: - k8s-app: metrics-server - ports: - - port: 443 - protocol: TCP - targetPort: main-port ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:metrics-server -rules: -- apiGroups: - - "" - resources: - - pods - - nodes - - nodes/stats - - namespaces - - configmaps - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:metrics-server -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:metrics-server -subjects: -- kind: ServiceAccount - name: metrics-server - namespace: kube-system ---- -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: metrics-server - namespace: kube-system - labels: - k8s-app: metrics-server -spec: - minAvailable: 1 - selector: - matchLabels: - k8s-app: metrics-server \ No newline at end of file diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go index f491e3f65f3c6..74866e3fbc3af 100644 --- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go +++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go 
@@ -577,20 +577,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann
 Version: fi.String(version),
 Selector: map[string]string{"k8s-app": "metrics-server"},
 Manifest: fi.String(location),
- KubernetesVersion: "<1.19.0",
- Id: id,
- })
- }
- {
- location := key + "/k8s-1.19.yaml"
- id := "k8s-1.19"
-
- addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
- Name: fi.String(key),
- Version: fi.String(version),
- Selector: map[string]string{"k8s-app": "metrics-server"},
- Manifest: fi.String(location),
- KubernetesVersion: ">=1.19.0",
+ KubernetesVersion: ">=1.11.0",
 Id: id,
 })
 }
diff --git a/upup/pkg/fi/cloudup/template_functions.go b/upup/pkg/fi/cloudup/template_functions.go
index cc0d7947b50f9..a4daf98519e1d 100644
--- a/upup/pkg/fi/cloudup/template_functions.go
+++ b/upup/pkg/fi/cloudup/template_functions.go
@@ -131,6 +131,9 @@ func (tf *TemplateFunctions) AddTo(dest template.FuncMap, secretStore fi.SecretS
 dest["ProxyEnv"] = tf.ProxyEnv
 dest["KopsSystemEnv"] = tf.KopsSystemEnv
 
+ dest["UseKopsControllerForNodeBootstrap"] = func() bool {
+ return tf.UseKopsControllerForNodeBootstrap()
+ }
 dest["DO_TOKEN"] = func() string {
 return os.Getenv("DIGITALOCEAN_ACCESS_TOKEN")
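Review bot: After this change the surviving addon entry in buildAddons is selected by `KubernetesVersion: ">=1.11.0"` alone, yet its rendered manifest now differs depending on `UseKopsControllerForNodeBootstrap`; nothing in the hunk bumps `version`, so if channels only re-applies an addon when its version string changes, an existing cluster that toggles the flag may keep running metrics-server with the old arguments — worth confirming against how `version` is derived outside the hunk. A short comment on the surviving block would make the new contract explicit, e.g. `// One manifest serves every supported version; whether --kubelet-insecure-tls is passed is decided in the template by UseKopsControllerForNodeBootstrap.` The enclosing buildAddons function, and the block where `location`, `id` and `version` are defined, start outside the hunk.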